Front Page

Column One

• CJOG's 5 Ws
• Our Members
• Our Principles
• Position Papers & Petitions
• CJOG Update
• FOI Calendar

Opening the Government

Tools for FOI Work

• Useful Web Sites
• Help By Topic
• Experts
• Reports, Resources
• Finding Federal Documents

FYI on FOI

• Backgrounders
• Pending Legislation
• Speaking Out
• Commentary
• How You Can Help Open Government

Energy Department Sets Civil Penalties for the Mishandling of Classified Data

---

 

[Federal Register: January 26, 2005 (Volume 70, Number 16)]

[Rules and Regulations] [Page 3599-3614]

DEPARTMENT OF ENERGY

 

10 CFR Part 824 [Docket No. SO-RM-00-01] RIN 1992-AA28

 

Procedural Rules for the Assessment of Civil Penalties for

Classified Information Security Violations

 

AGENCY: Office of Security, Department of Energy.

 

ACTION: Final rule. EFFECTIVE DATE: February 25, 2005.

 

SUMMARY: The Department of Energy (DOE) is today publishing a final

rule to assist in implementing section 234B of the Atomic Energy Act of

1954. Section 234B makes DOE contractors and their subcontractors

subject to civil penalties for violations of DOE rules, regulations and

orders regarding the safeguarding and security of Restricted Data and

other classified information.

 

I. Introduction

 

Pursuant to the Atomic Energy Act of 1954 and other laws, DOE

carries out a variety of national defense and energy research,

development and demonstration activities at facilities around the

nation that are owned by the United States Government, under the

control and custody of DOE, and operated by management and operating

contractors under the supervision of DOE. The use of private industry

and educational institutions to operate these kinds of facilities,

including the national laboratories and their predecessors, dates back

to the Atomic Energy Commission, if not to the Manhattan Project. It

has allowed the United States to attract the best minds to do the

cutting edge scientific, engineering and technical work critical to

DOE's national security mission. By its nature, that work involves

highly classified information regarding atomic weapons and other

weapons of mass destruction; nuclear naval propulsion; intelligence

related to terrorism and other topics of great sensitivity. For more

than 50 years, DOE, like its predecessor the Atomic Energy Commission,

has had to balance two sets of considerations. On the one hand, DOE

must attract the best minds that it can to do cutting edge scientific

work at the heart of DOE's national security mission, and DOE must

permit its operating and management contractors to function in a manner

that permits sufficient dissemination of classified work to be put to

the various uses that U.S. national security demands. At the same time,

it obviously must take all prudent steps to prevent enemies of this

nation from gaining access to work that could be used to the detriment,

rather than the enhancement, of vital national security interests.

Over the years periodic contractor lapses in adherence to processes

designed to safeguard Restricted Data or other classified information

have given rise to concerns about the adequacy of efforts by

contractors to protect this kind of information. In order to give DOE

an additional tool to assure that these processes are being followed,

Congress enacted section 234B of the Atomic Energy Act of 1954. This

section grants DOE new authority to impose civil penalties for

violations of DOE regulations and orders directed to the safeguarding

of this kind of information, as well as confirming DOE's preexisting

authority to withhold portions of a contractor's fee by reason of poor

performance arising out of such violations. DOE had previously

promulgated regulations specifying how it would carry out this latter

authority, and today's rule specifies the manner in which it will carry

out its civil penalty authority. DOE believes that today's regulation

will assist in providing greater emphasis on a culture of security

awareness in existing DOE operations, and strong incentives for

contractors to identify and correct noncompliance conditions and

processes in order to protect classified information of vital

significance to this nation. It will also facilitate, encourage and

support contractor initiatives for the prompt identification and

correction of security problems.

Section 3147 of the National Defense Authorization Act for Fiscal

Year 2000 (Public Law 106-65) added a new section 234B to the Atomic

Energy Act of 1954 (the Act) (42 U.S.C. 2282b). Section 234B has two

subsections. The first subsection, subsection a., provides that any

person who: (1) Has entered into a contract or agreement with DOE, or a

subcontract or subagreement thereto, and (2) violates (or whose

employee violates) any applicable rule, regulation, or order prescribed

or otherwise issued by the Secretary of Energy pursuant to the Act

relating to the safeguarding or security of Restricted Data or other

classified or sensitive information, shall be subject to a civil

penalty not to exceed 0,000 for each such violation. The second

subsection, subsection b., requires that each DOE contract contain

provisions which provide an appropriate reduction in the fees or

amounts paid to the contractor under the contract in the event of a

violation by the contractor or contractor employee of any rule,

regulation or order relating to the safeguarding or security of

Restricted Data or other classified or sensitive information.

DOE elected to implement section 234B in two separate rulemakings,

one establishing procedural rules to implement subsection a. similar to

the procedural rules to achieve compliance with DOE nuclear safety

requirements found at 10 CFR part 820, ``Procedural Rules for DOE

Nuclear Activities,'' and the other establishing a procurement clause

like the existing clause for conditional payment of fee, profit or

incentives, 48 CFR (DEAR) 970.5215-3. On February 1, 2001, DOE

published a notice of proposed rulemaking (NOPR) (66 FR 8560) to

implement subsection b. of section 234B, concerning reductions in fees

or amounts paid to contractors in the event of a security violation.

DOE received numerous comments in response to that notice, and

responded to them in a notice of interim final rulemaking on December

10, 2003 (68 FR 68771).

On April 1, 2002, DOE published a NOPR at 67 FR 15339 to solicit

comments on its proposed framework for an enforcement program for the

civil penalty provisions in subsection a. The NOPR requested written

comments by July 1, 2002, and invited oral comments at public hearings

held in Las Vegas, Nevada on May 22, 2002, and in Washington, DC on May

29, 2002. Written comments were received from eleven sources and oral

comments from two. All comments were from representatives of DOE

contractors. DOE responds to the major issues raised in comments in

part II of this SUPPLEMENTARY INFORMATION.

To a large extent, the regulations in this notice of final

rulemaking are self-explanatory. There are, however, several

fundamental features which were discussed in the NOPR that bear

repeating here. DOE will apply civil penalties only to violations of

requirements for the protection of classified information. Classified

information is defined as ``Restricted Data'' or ``Formerly Restricted

Data'' protected against unauthorized disclosure pursuant to the Act

and ``National Security Information'' protected against unauthorized

disclosure pursuant to Executive Order 12958, as amended on March 25,

2003, or any predecessor or successor order. Although section 234B

refers to ``sensitive information,'' DOE does not employ this term in

today's final regulations because: (1) Neither the statute nor its

legislative history defines the term; (2) There is no commonly accepted

definition of ``sensitive information'' within DOE or the Executive

Branch; and (3) the legislative history of subsection a. indicates that

the Congress was concerned with unauthorized disclosures of classified

information. The additional category of unclassified information that

might merit inclusion in a regulation imposing civil penalties is

Unclassified Controlled Nuclear Information (UCNI), a category of

unclassified government information concerning atomic energy defense

programs established by section 148 of the Act (42 U.S.C. 2168).

However, DOE already has a preexisting regime in place with respect to

such information that includes civil penalties. Section 148 provides

that any person who violates a regulation or order issued under that

section shall be subject to a civil penalty not to exceed 0,000. DOE

implemented the provisions of section 148 in regulations contained in

10 CFR part 1017. Since part 1017 already imposes a civil monetary penalty

for unauthorized dissemination of UCNI comparable to

the penalty specified in section 234B, DOE determined that it is

unnecessary to include UCNI in regulations implementing section 234B.

Today's final regulations permit DOE to assess civil penalties for

violations of regulations, rules or orders described in Sec. 824.4 of

part 824. These are violations of: (1) 10 CFR part 1016 (``Safeguarding

of Restricted Data''); (2) 10 CFR part 1045 (``Nuclear Classification

and Declassification''); or (3) any other DOE regulation or rule

(including any DOE order or manual enforceable under a contractual

provision) related to the safeguarding or security of Restricted Data

or other classified information that specifically indicates that

violation of its provisions may result in a civil penalty pursuant to

section 234B, and (4) compliance orders issued pursuant to part 824.

In addition, section 161 of the Act broadly authorizes DOE to

prescribe regulations and issue orders deemed necessary to protect the

common defense and security (42 U.S.C. 2201). Consistent with the

proposed rule, part 824 implements this authority by providing that the

Secretary may issue a compliance order requiring a person to take

corrective action if a person by act or omission causes, or creates a

risk of, the loss, compromise or unauthorized disclosure of classified

information even if that person has not violated a rule or regulation

specified in Sec. 824.4(a) of part 824. Violation of the compliance

order may also result in the assessment of a civil penalty if the order

so specifies. While the recipient of a compliance order may request the

Secretary to rescind or modify the compliance order, the request does

not stay the effectiveness of the order unless the Secretary issues a

new order to that effect. The compliance order provisions in 10 CFR

824.4(b) and (c) are modeled after a similar mechanism in 10 CFR part

820, the rule implementing procedures for section 234A of the Act with

respect to nuclear safety.

Today's final rule only applies to contractors and others who have

entered into agreements or contracts with DOE or subagreements or

subcontracts thereto. This is because subsection a. of section 234B

provides that what triggers the availability of a civil penalty is the

fact that a ``person * * * has entered into a contract or agreement

with the Department of Energy, or a subcontract or subagreement

thereto, and * * * violates (or whose employee violates) any applicable

rule, regulation or order.'' It is clear from the statutory language,

particularly the parenthetical ``or whose employee violates'' that

Congress intended contractors and their subcontractors or suppliers to

be responsible for the acts or omissions of their employees who fail to

observe these rules, regulations, and orders, rather than contemplating

the imposition of civil penalties on employees themselves.

Consequently, part 824 provides for the assessment of civil penalties

against contractors or subcontractors for their employees' actions but

not against the employees themselves. The Atomic Energy Act establishes

a separate regime of criminal penalties applicable to individuals for

the knowing unauthorized communication of Restricted Data. See sections

224 and 227 of the Atomic Energy Act (42 U.S.C. 2274, 2277).

Subsection d. of section 234B sets limitations on civil penalties

assessed against certain nonprofit entities specified at subsection d.

of section 234A (hereafter the ``named contractors''). For each of the

named contractors, the statute provides that no civil penalty may be

assessed until the entity enters into a new contract with DOE after

October 5, 1999 (the date of enactment) or an extension of a current

contract with DOE after October 5, 1999. The statute also limits the

total amount of civil penalties assessed against the named contractors

in any fiscal year to the total amount of fees paid to that entity in

that fiscal year. It should be noted that the limitations applicable to

the named contractors also apply to their subcontractors and suppliers

regardless of whether they are for-profit or nonprofit.

The fee that represents the cap for civil penalties of nonprofits

will be determined pursuant to the provisions of the specific contracts

covered by the limitation on nonprofits in section 234B.d.(2).

DOE has decided not to finalize its proposal to cap civil penalties

assessed against other DOE contractors that are nonprofit educational

institutions under the United States Internal Revenue Code in the same

manner as penalties are capped for the named contractors. The statute

identifies only the named contractors as those that should receive this

treatment. While Congress gave DOE authority to mitigate civil

penalties, DOE has concluded that there is not a strong enough case to

warrant using that authority in a categorical fashion to cap these

penalties without regard to any other consideration for contractor

security violations by entities other than those that Congress

determined should have their penalties capped in this fashion. Rather,

DOE has concluded that its mitigation authority would be better

exercised on a case-by-case basis, taking into account all

circumstances, both aggravating and extenuating. The final rule and

enforcement policy make clear that DOE plans to exercise that authority

to mitigate civil penalties based on many considerations, including an

entity's financial circumstances. That should be sufficient to ensure

that the civil penalty authority is not exercised in a manner that

discourages non-profit institutions from seeking DOE contracts.

Finally, our decision is consistent with DOE's proposed regulations for

10 CFR part 851 to implement section 234C of the Atomic Energy Act

(civil penalties for worker health and safety violations), the most

recent legislation providing DOE civil penalty authority.

DOE also has determined on a somewhat different approach from the

one in the proposed rule for allocating responsibility among various

DOE officials for the performance of certain administrative

responsibilities relating to the imposition of civil penalties,

including issuance of the preliminary notice of violation, issuance of

final notice of violation, and settlement of enforcement actions. DOE's

NOPR called for all of these responsibilities to be carried out by the

Deputy Secretary on the recommendation of the Director of the Office of

Security. DOE has concluded that there is no compelling reason for

making the Deputy Secretary responsible for these functions in the

first instance. Moreover, DOE believes it is desirable to make the

procedures for part 824 consistent with the procedural framework in 10

CFR part 820 (civil penalties for nuclear safety violations) and the

proposed part 851 regulations (civil penalties for worker health and

safety violations). In both those frameworks, a DOE official

subordinate to the Secretary and the Deputy Secretary is the official

charged with initiating enforcement and related responsibilities in the

case of non-NNSA contractors; in the case of NNSA contractors, the

subordinate DOE official makes a recommendation to the NNSA

Administrator, who then determines whether or not to accept that

recommendation. In the case of a dispute between the responsible DOE

official and the NNSA Administrator, the matter may be referred to the

Deputy Secretary.

The part 824 rule adopted today adopts a similar framework, under

which the Secretary designated a subordinate DOE official to carry out

the administrative responsibilities in the case of non-NNSA

contractors, but in the case of NNSA contractors this official makes a

recommendation to the NNSA Administrator who decides whether or not to accept that

recommendation. If the NNSA Administrator disagrees with the cognizant

DOE official's recommendation, and the disagreement cannot be resolved

by the two officials, the DOE official may refer the matter to the

Deputy Secretary for resolution.

The Secretary of Energy has approved this notice of final

rulemaking for publication.